Guidance

Scope of Guidance

Please note that the Personal Data Protection Commission (PDPC) generally does not review and advise organisations on their business activities, procedures or data protection policies, or provide legal advice.

The PDPC's goal in providing guidance is to reduce the uncertainty an organisation may face with respect to its compliance with specific obligations under the PDPA and its regulations in the context of its particular factual situation, and not to advise, recommend or confirm that an organisation should or should not adopt any particular course of action.

Conditions of Guidance

Any guidance provided by the PDPC to an organisation shall be subject to the scope of guidance set out above and the following additional conditions:

The PDPC may request additional clarifications or information from the organisation that the PDPC considers necessary or relevant to address the organisation's queries. In such a situation, the organisation shall ensure that its representative is duly authorised to provide any clarification or other information requested by the PDPC and communicate or otherwise deal with the PDPC on all matters relating to its queries.

To allow similarly situated organisations to also benefit from the guidance provided by the PDPC, the PDPC reserves the right to publish all or part of the guidance provided to the organisation, including a summary of the factual situation or any other information provided by the organisation, upon redacting the name of the organisation and any confidential information provided (and identified as such) by the organisation.

If the organisation considers that the PDPC should treat any part of the information it has submitted as confidential, the organisation must set out that part of the information in a separate section marked “confidential information” and provide a written explanation as to why the information is confidential.

The PDPC may at any time decline to provide guidance at its discretion, such as in the following situations:

The subject matter of the organisation's queries is already substantially addressed in existing resources published by the PDPC. In these situations, the PDPC will direct the organisation to the relevant resources;

The subject matter of the organisation's queries is related to a matter that is under formal investigation;

The information provided by the organisation is insufficient for the PDPC to provide guidance;

The request for guidance is not from the organisation that is collecting, processing and/or disclosing the personal data in question, but from a third party organisation;

The burden or expense of providing such guidance would be excessive as determined by the PDPC; or

The queries made are repetitive, trivial, frivolous or otherwise vexatious.

If the information provided by the organisation reveals possible non-compliance with the PDPA, the PDPC reserves the right to take such action as it considers appropriate, taking into account all relevant factors, including (where applicable) good faith attempts by the organisation to comply with its obligations under the PDPA. In the event of a complaint against the organisation, the PDPC may conduct an investigation notwithstanding any guidance provided.

Any guidance provided shall be based on the information provided by the organisation and may not apply in other factual situations or to other organisations. Guidance provided shall be for the organisation’s sole use and shall not be disclosed to any other party without the PDPC’s written consent.

Any guidance provided to the organisation shall not amount to a decision by the PDPC under the PDPA and is therefore subject to future decisions of the PDPC, the Data Protection Appeal Panel and the Courts.

The organisation should consider any guidance provided by the PDPC and ensure that any action it takes is in compliance with the PDPA and all other applicable laws. In any case, the organisation shall remain solely and fully responsible and liable to comply with the PDPA and all applicable laws, including (but not limited to) making its independent decisions on how to organise and conduct its business activities, procedures and data protection policies so as to comply with its obligations under the PDPA.